Multi-Layers of Information Security in Emergency Response

Introduction

One dimension of information security that is increasingly enjoying attention in emergency organizations is that of emergency responders maintaining information security while operating various types of technical devices and complying with organizational security frameworks, such as the information security guidelines. The context of emergency response (ER) is a domain which involves rapid and intricate cross-boundary socio-technical communications to manage undefined situations (Turoff, 2002), often under pressure while engaged in the act of rescuing people and saving lives (Harrald, 2006). In contrast to mainstream information security (Dhillon & Backhouse, 2001; Siponen & Oinas-Kukkonen, 2007) emergency response challenges responders to exploit their cognitive ability so as to avoid disclosure of sensitive information to unauthorized individuals. In the emergency response literature, cognition is seen as: “..execution of a set of behaviors that an individual is expected to be able to perform” (Mendonça et al., 2007, p. 47), and deemed as a critical construct for the capacity to manage the nonlinear structure of emergency response (Comfort, 2007).

As enacting information security increasingly manifests itself as a fundamental part of communication patterns in emergency response, it is appropriate to ask how information is shared and acted upon, rather than how it is protected. To this end, we define information security in the context of emergency response as a process of three interoperable layers; technical, cognitive, and organizational to render a secure emergency response environment. This definition is consistent with previous research on secure communications that incorporates technical, conceptual, and organizational views on access to IT, secure communication, security management, and security design (Siponen & Oinas-Kukkonen, 2007).

To develop the argument for multi-layers of information security, we draw on Actor Network Theory (Bardini, 1997; Latour, 2005; Walsham, 1997) to conceptualize how actors associate with one another and other on-site emergency actors. That is, how they utilize cognitive capability to maintain secure information sharing channels during emergency response operations. Second, we use theory of organizational routines (Pentland & Feldman, 2007) to characterize the organization of emergency response routines, which inform the entire community of emergency responders about rules and obligations in emergency response. These two theoretical bodies were used as an initial guide to design a single case study with data collection undertaken from the three emergency response departments; Fire Dept, Police Dept, and Para Dept. We closely observed how information security was appreciated, considered, and managed during emergency response.

The paper proceeds as follows. First, we review selected research contributions in the field of emergency response to characterize its context. In this review we discuss how emergency actor networks shape response capability to enact the associations defined by constitutive actors. We end the review with diagnosing the formal organization and its generally accepted premises for emergency response. Third, information security is introduced and its relevance in the context of emergencies is discussed. Fourth, we present the result of the analysis and finally we offer an alternative understanding of information security that is meaningful in the emergency response context.